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(57) Abstract 



An integrated circuit includes secure logic that requires protection. Secure assurance logic protects the secure logic. The secure 
assurance logic includes a plurality of protection modules that monitor the occurrence of insecure conditions. Each protection module 
monitors a different type of insecure condition. Each protection module asserts an alarm signal when an associated insecure condition is 
detected. The alarm signals asserted by the plurality of protection modules are stored. 
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INTEGRATION OF SECURITY MODULES ON AN INTEGRATED 

CIRCUIT 

TECHNICAL FIELD 
5 The present invention concerns security protection within an 

integrated circuit design and pertains particularly to integration of security 
modules on an integrated circuit. 

BACKGROUND 

10 For some processing applications, it is essential to operate in a secure 

environment so that operations cannot be probed or altered. In the prior art, 
various methods have been used to provide for a secure processing 
environment. 

For example, a mechanical chassis can be used to house processing 
15 equipment. This mechanical chassis can include tamper switches and 
other elements to detect and protect against tampering and alterations. 
Unfortunately, such a mechanical chassis can add a significant amount of 
expense to a product. 

Alternatively, in order to restrict access to particular integrated 
20 circuits, the integrated circuits can be covered with epoxy or other chemical 
materials to hinder access. Unfortunately, often this can be easily defeated 
and so provides only a nominal amount of protection. 

Another method to provide for a secure processing environment is to 
implement the system on a single integrated circuit. A portion of the 
25 integrated circuit, for example, can be used to perform secure operations. 
However, there may still be attempts to defeat this arrangement. 
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For example, an attacker may attempt to expose information about a 
security key or information about a security system by applying radiation or 
alpha particles in the proper location. The excess radiation or alpha 
particles can result in a single event upset (SEU). The single event upset 
5 can affect the data integrity of a secure operation. If the single event upset 
occurs in an operation related to a security key or data encrypted with the 
security key, this may weaken the effectiveness of the protection within the 
integrated circuit and perhaps provide an avenue to break the security 
system. 

10 Other types of attacks can be perpetrated as well. While there have 

been various types of circuitry added to protect an integrated circuit against 
these have usually be added on an ad hoc basis. There has been no 
integrated effort to protect integrated circuits. 
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SUMMARY OF THE INVENTION 
In accordance with the preferred embodiment of the present 
invention, an integrated circuit includes secure logic that requires 
protection. Secure assurance logic protects the secure logic. The secure 

5 assurance logic includes a plurality of protection modules that monitor the 
occurrence of insecure conditions. Each protection module monitors a 
different type of insecure condition. Each protection module asserts an 
alarm signal when an associated insecure condition is detected. The alarm 
signals asserted by the plurality of protection modules are stored. 

10 In the preferred embodiment, once an alarm signal is asserted, the 

alarm signal is received by a first register. A second register is used for 
masking the alarm signals. The masking performed by the second register 
is used to prevent selected alarm signals from being propagated. This allows 
certain alarms to be blocked during testing of the secure assurance logic. A 

15 third register stores the alarm signals that have been asserted but have not 
been masked by the second register. The integrated circuit can be reset 
when an alarm signal is detected. 

The plurality of protection monitors include, for example one or more 
of the following: a high frequency monitor that detects when a monitored 

20 clock exceeds a predetermined frequency, a low frequency monitor that 
detects when a monitored clock is less than a predetermined frequency, a 
single event detector monitor that monitors single event upsets within the 
integrated circuit, a reset monitor that monitors an amount of times the 
integrated circuit is reset, and a voltage detector that monitors for invalid 

25 voltage levels. 
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In addition, the secure assurance logic generally includes a power- 
on-reset circuit for resetting the integrated circuit to a known state upon 
power-up of the integrated circuit. 

The above-described integration of the protection modules into secure 
5 assurance logic requires that someone attacking the security features of the 
integrated circuit must simultaneously defeat more than one security 
component. This increases the complexity of the attack required to 
successfully circumvent the security features. The integrated solution 
described herein can be used to protect integrated circuits that implement 
10 firmware that must access two independent address spaces. The 

programmable features of secure assurance logic also allows register values 
to be changed separately such that there is no insecure period of overlap in 
the operation of the integrated circuit. 
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BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 is a simplified block diagram that shows an integrated circuit 
within which secure assurance logic is used to guard protected logic in 
accordance with a preferred embodiment of the present invention. 
5 Figure 2 is a simplified block diagram that shows secure assurance 

logic that links together electrical protection within an integrated circuit in 
accordance with a preferred embodiment of the present invention. 

Figure 3 is a simplified block diagram that shows additional secure 
assurance logic that links together electrical protection within an integrated 
10 circuit in accordance with a preferred embodiment of the present invention. 

Figure 4 is a simplified block diagram that shows structure of a status 
register shown in Figure 1 in accordance with a preferred embodiment of 
the present invention. 

Figure 5 is a simplified block diagram of power-on-reset logic in 
15 accordance with a preferred embodiment of the present invention. 

Figure 6 is a simplified block diagram of a mode of a power-on-reset 

cell. 
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DISCLOSURE OF THE INVENTION 
Figure 1 is a simplified block diagram of an integrated circuit 11 that 
includes a processor 123, protected logic 112 and other logic 140. Secure 
assurance logic 12 links together electrical protection within integrated 
5 circuit 11. The integration of all secure assurance logic 12 components into 
a single modular protected block allows processor 123 to control and observe 
the protection modules for testing without affecting the security of integrated 
circuit 11. By coupling multiple protection modules together, the security of 
the system is improved since the protection modules now work together. 
10 Additionally reset states for the protection modules can be controlled such 
that power down for IDDq testing (***what is IDDq testing?***) does not 
defeat the security of the integrated circuit. 
Figure 2 is a simplified block diagram of secure assurance logic 12. A 
monitored clock signal (MON_CLK) is placed on a monitor clock signal line 
15 41. Components within secure assurance logic 12 monitor and protect the 
monitored clock. A mask register 29 is used to allow masking of particular 
security assurance features so that individual security features (i.e., alarm 
signals) can be turned off for certain operations via processor 123. This also 
allows each of the features to be tested. Since there are duplicated security 
20 features in integrated circuit 11, the assurance logic can be tested at startup 
without causing a problem and without allowing an opening for an attacker. 

Secure assurance logic 12 includes a high frequency monitor 21, a low 
frequency monitor 22 a single event upset (SEU) detect monitor 24, a reset 
monitor 25, and an over/under voltage monitor 26. 
25 Alarms from the monitoring modules are integrated using a raw 

register 28, mask register 29 and a status register 30. Processor 123, using a 
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bus 45 can read and write information to raw register 28, mask register 29 
and status register 30. 

Raw alarm sources are trapped asynchronously in raw register 28. 
The alarms are output on alarm lines 54. The alarms are masked by values 
5 in mask register 29 prior to being forwarded to status register 30. The 
masked alarms are forwarded to status registers 30 on lines 55. The 
asynchronous trap is required since a valid clock source cannot be 
guaranteed at the time of the alarm. The asynchronous trap is double 
synchronized to the clock domain of processor 123 and then sampled by 
10 status register 30. Once a bit in the status register is set, the corresponding 
asynchronous trap is cleared. An alarm set in status register 30 results in a 
reset signal being placed on a line 57. 

Figure 4 shows an example of logic used within status register 30 for 
double synchronization of an alarm bit. A first delay (D) flip-flop 91 and a 
15 second D flip-flop 92 are connected in series. The D input of D flip flop 19 is 
connected to VDD through a line 94. The clock input of D flip-flop 91 receives 
from mask register 29 a masked alarm bit on a line 95. A clock input 97 of D 
flip-flop 92 receives a system clock (CLK) signal. The Q output of D flip-flop 
92 places a status bit on a line 98. The system clock (CLK) signal is used to 
20 clock all the synchronization blocks and registers of secure assurance logic 
12. A reset signal on a line 40, from synchronization block 32 (shown in 
Figure 2), is used to reset D flip-flop 92. A logic NOR gate 93 is used to 
generate a reset for D flip-flop 91. 

As shown in Figure 2, a power-on-reset cell 27, a software reset placed 
25 on a line 42 and a reset (PINRST_L) line 43 all are used to reset the 
monitoring system. The reset signals are synchronized by a 
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synchronization block 31, a synchronization block 32 and a synchronization 
block 33, connected as shown. A logic OR gate 34 and a logic OR gate 35 
combine the reset signals to form the reset (RSROUT_L) on line 58. A hold 
reset block 36 holds the resets for a predetermined number of clock cycles 
5 and generates a reset delete (RSTDEL_L) signal on a reset delete line 59. 
A soft reset synchronizer 64 (shown in Figure 3) generates the 
software reset placed on line 42. Control register 63 (shown in Figure 3) 
stores two control bits for soft reset synchronizer 64 that are forwarded to soft 
reset synchronizer 64 on a line 79 and a line 80. 

10 Low frequency monitor 22 uses a reference clock that is generated by 

an internal ring oscillator (ROSC) 23 to make comparisons to the monitored 
clock signal (MON_CLK) on monitor clock signal line 41. Ring oscillator 23 
must be used since low frequency monitor 23 needs to be able to detect when 
the monitored clock signal has stopped. Low frequency monitor 22 places a 

15 low frequency alarm on a line 47. 

Since the monitored clock is sampled, low frequency monitor 22 may 
produce a false error at any input clock frequency that violates the Nyquist 
rate. The monitored clock must be less than eight times the frequency of the 
reference clock generated by the ring oscillator. An eight-bit low frequency 

20 value stored in a register 62 (shown in Figure 3) is used to configure low 
frequency monitor 22. 

High frequency monitor 21 is used to ensure the monitored clock 
signal (MON_CLK) on monitor clock signal line 41 is below the maximum 
frequency of the device. Since high frequency monitor 21 uses the critical 

25 path of the device to determine if the clock frequency is too fast, the result is 



BNSDOCID: <WO _0045244A1_I_> 



WO 00/45244 PCT/US99/28289 

9 

an operating point detection that includes monitoring the voltage, process, 
and temperature. 

The high frequency limit is not fixed, but is determined by the 
capability of the device. In a system where there is a best case processed 
5 device at zero degrees with nominal voltage, the frequency of the device is 
allowed to be higher than when operation occurs at high temperature and 
lower voltage. Since the operating point is programmable, high frequency 
monitor 21 can be used to adjust a phased locked loop (PLL) frequency for the 
current operating environment. High frequency monitor 21 places a high 

10 frequency alarm on a line 46. 

An eight-bit high strike value and an eight-bit high frequency value 
stored in a register 61 (shown in Figure 3) are used to configure high 
frequency monitor 21. 

Reset monitor 25 counts the number of resets (reset out signal 

15 (RSROUT_L) on reset out line 58) that are issued. Once the reset limit has 
been reached, reset monitor 25 issues an alarm on a line 51. Reset monitor 
25 can be cleared using a clear strike bit in a control register 63 (shown in 
Figure 3). Software is used to clear reset monitor 25 after completing the boot 
processing for the integrated circuit and waiting a random period of time. 

20 The alarm from reset monitor 51 is used to issue a device reset (if 

unmasked in mask register 29). After reset, further manual resets 
(PINRSTJL) issued on a line 43 are ignored until this alarm has been 
cleared in status register 30. Control register 63 (shown in Figure 3) stores a 
clear bit for reset monitor 51 that is forwarded to reset monitor 51 on a line 

25 78. 
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Over and under voltage detectors 26 are used to protect against a 
voltage level that is not valid for the process technology. The minimum 
operating core voltage and the maximum operating core voltage for the 
process are used as boundaries for the voltage detection. 
5 The voltage ranges specified for the activation ranges of the detectors 

are based on the process technology in which the integrated circuit is 
implemented. Below the under voltage activation range, an under voltage 
error will always be detected. Above the power-on-reset (POR) activation 
range, power-on-reset cell 27 will always be inactive (not asserted). Above the 

10 over voltage detection (OVD) activation range, the over-voltage detector will 
generate an alarm. Below the over-voltage detector activation range, the 
over-voltage detector will not generate an alarm. 

In many process technologies the under voltage activation range and 
the POR activation range overlap. In this case, the under voltage detector is 

15 not implemented (i.e., it is tied off in design). Whenever, the under voltage 

detector is not implemented, the POR activation range should be set based on 
the VDD - 10 % requirement instead of VDD minimum to ensure that the 
under voltage violations will cause a POR reset. 

In the preferred embodiment the under voltage detection portion of 

20 over and under voltage detectors 26 monitors the core VDD voltage supply to 
ensure that the voltage level never drops below the minimum required core 
voltage for the given process. An error must not be detected when VDD is 
within the valid operating range of the device which is core VDD +/- 10%. 
In the preferred embodiment the under voltage detection portion of 

25 over and under voltage detectors 26 has a power down (PD) input 81 that can 
be used for IDDq testing. The output state of the device should not indicate 
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an error when powered down regardless of the core VDD value. The under 
voltage design also rejects noise on the power supply line. The under voltage 
detection portion of over and under voltage detectors 26 is capable of being 
routed with the digital logic and does not cause errors due to digital 
5 switching noise. 

The over voltage detection portion of over and under voltage detectors 
26 monitors the core VDD supply to ensure that the voltage level never rises 
above the maximum allowed core voltage for the given process. 
Additionally, an error must not be detected when VDD is within the valid 

10 operating range of the device which is core VDD +/- 10%. 

The over voltage detection portion of over and under voltage detectors 
26 also has a power down (PD) input 82 that can be used for IDDq testing. 
The output state does not indicate an error when powered down regardless 
of the core VDD value. The over voltage detection portion of over and under 

15 voltage detectors 26 is constructed in such a way to reject noise on the power 
supply line. 

Single event upset (SEU) detect monitor 24 tracks the logic operation 
and detects single or multiple bit errors within 256 clock periods. In the 
preferred embodiment the detection logic is fully digital logic implemented 
20 within integrated circuit 11. When a single event upset is detected, single 

event upset detect monitor 24 places an alarm on alarm line 49 or alarm line 
50. Control register 63 stores two error bits (r_err and p_err) for single event 
upset detect monitor 24 that are forwarded to single event upset detect 
monitor 24 on a line 76 and a line 77. 
5 Figure 1 shows use of single event upset detectors scattered 

throughout integrated circuit 11. Some of the single event upset detectors 
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are placed near protected logic 112 (e.g., cryptographic logic) that is being 
protected. Additional single event upset detectors are placed as far away 
from the protected logic as possible to be used for comparison. The number 
of single event upset detectors used is determined by the overall gate count of 
5 the integrated circuit 11. A good rule of thumb is about one counter for every 
15k-20k gates of cell based logic (do not include RAM or ROM in this 
calculation) in the design per logic block within integrated circuit 11. 

The single event upset detectors are represented in Figure 1 by a 
single event upset detector 114, a single event upset detector 115, a single 

10 event upset detector 116, a single event upset detector 117, a single event 
upset detector 118, a single event upset detector 119, a single event upset 
detector 120 and a single event upset detector 121. Figure 1 is not drawn to 
scale. The single event upset detectors are scattered throughout secure 
integrated circuit 11 in order to detect event that occur even in seemingly 

15 non-critical areas of secure integrated circuit 11. 

Single event upset detect monitor 24 (shown in Figure 2) within secure 
assurance logic 12 collects single event upset detection information from 
single event upset detector 114 via a data path 124. Single event upset detect 
monitor 24 within secure assurance logic 12 collects single event upset 

20 detection information from single event upset detector 115 via a data path 
125. Single event upset detect monitor 24 within secure assurance logic 12 
collects single event upset detection information from single event upset 
detector 116 via a data path 126. Single event upset detect monitor 24 within 
secure assurance logic 12 collects single event upset detection information 

25 from single event upset detector 117 via a data path 127. Single event upset 

detect monitor 24 within secure assurance logic 12 collects single event upset 
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detection information from single event upset detector 118 via a data path 
128. Single event upset detect monitor 24 within secure assurance logic 12 
collects single event upset detection information from single event upset 
detector 119 via a data path 129. Single event upset detect monitor 24 within 

5 secure assurance logic 12 collects single event upset detection information 
from single event upset detector 120 via a data path 130. Single event upset 
detect monitor 24 within secure assurance logic 12 collects single event upset 
detection information from single event upset detector 121 via a data path 
131. Single event upset detect monitor 24 within secure assurance logic 12 

10 collects single event upset detection information from single event upset 
detector 122 via a data path 132. 

Each of single event upset detectors 114 through 122 uses digital logic 
to detect single event upsets. For example bit registers, each composed of a 
flip-flop, within single event upset detectors are monitored for a state 

15 transition due to single event upset. The flip-flops are utilized in a 

predetermined pattern and then are monitored for errors that occur during 
operation. An error in the state transition can indicate, for example, a 
single event upset caused by radiation, alpha particles or some other 
operation error. 

20 A power-on-reset cell 27 provides a known state for the device when 

power is applied. Initializing to a known state is critical to a secure 
integrated circuit. Power-on-reset cell 27 uses the application of power to 
generate a reset output that is not released until the power has stabilized. 

The integrity of power-on-reset cell 27 is imperative for the security of 

25 integrated circuit 11. Current test strategies require that all elements of an 
integrated circuit should be powered down into a low power state for IDDq 
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testing. Since the initial state of any element on the device is only trusted 
when power-on-reset cell 27 is active, there is an external pin connected to a 
power down line 44 used to power down power-on-reset cell 27. The external 
pin cannot be trusted by secure assurance logic 12 such that it would bypass 
5 the power-on-reset cell 27 and result in an unknown state after power up. 
Ring oscillator (ROSC) 23 provides the reference clock for low 
frequency monitor 22. In addition ring oscillator 23 provides an oscillator 
clock (OSC CLK) on an output line 48. The oscillator clock is used for active 
zeroization. Ring oscillator 23 is fully tested via scan test modes by breaking 

10 the ring oscillator chain and inserting flip-flops that make the chain 
observable and controllable. 

The frequency value of the ring oscillator 23 can be tuned after layout 
using (OSC_CFG) input pins to time which tap point is used for the end of 
the ring oscillator 23. These configuration inputs must be fixed for the final 

15 layout of the device. Control register 63 (shown in Figure 3) stores a disable 
bit for ring oscillator 23 that is forwarded to ring oscillator 23 on a line 75. 

Pin reset line (PINRST_L) 43 is the external reset from the input pad 
of the integrated circuit. Since the pin reset (PINRST_L) is controlled 
outside the integrated circuit, it cannot be trusted. The pin reset is assumed 

20 to be asynchronous by the integrated circuit. The external reset must be 
asserted for at least one clock cycle to ensure that synchronization logic 32 
captures the reset. Synchronization logic 32 provides double 
synchronization for meta-stability. The pin reset (external reset) will not be 
propagated to the core as a reset for two clock periods when asserted. 

25 Secure assurance logic 12 can be used to implement active zeroization 

in a security device. Secure assurance logic 12 supplies a guaranteed valid 
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clock at all times by coupling the high and low frequency monitor. 
Whenever a high or low frequency error is detected, enabled and trapped, 
the switch clock (SWTICLK) signal is active on line 47. The SWTICLK 
signal can be used to multiplex the OSC_CLK signal on output line 48 with 
5 the system clock (prior to the clock tree). Since a device reset is issued based 
on the trapped violation, there is no requirement that this switch over be 
glitch free. Since the current clock may indeed be stopped, in the preferred 
embodiment this connection is made directly with a multiplexer. Once the 
switch over has occurred to the oscillator clock signal on output line 48, 
10 processor 123 (or other hardware logic) can make decisions about active 

zeroization based on the status register bits within status register 30 or the 
alarm output. 

Figure 5 is a simplified block diagram which explains operation 
power-on-reset logic. A power-on-reset signal on a line 153 is generated by a 

15 power-on-reset cell 154 (equivalent to power-on-reset cell 27 shown in Figure 
1), a delay (D) flip-flop 156 (equivalent to sync 33 shown in Figure 1) or a low 
frequency monitor 157 (equivalent to low frequency monitor 22 shown in 
Figure 1). The reset signals are collected by a logic OR gate 155. A power 
down (PD) signal is placed on a line 151. D flip-flop 156 is clocked by the 

20 system clock (CLK) placed on a line 152. Low frequency monitor 157 
monitors the frequency of the system clock (CLK). 

When power is applied to integrated circuit 11, power-on reset cell 154 
is powered down and integrated circuit 11 remains in a constant state (no 
reset is issued). 

25 If an attacker were to attempt to bypass power-on-reset cell 154 by 

asserting the power down signal on line 151, D flip-flop 156 assures that the 



BNSDOCiD: <WO 0045244A1 J_> 



WO 00/45244 PCT/US99/28289 

16 

system clock (CLK) cannot not be used without causing a reset of the 
integrated circuit. The reset causes integrated circuit 11 to be initialized to a 
known state. Low frequency monitor 157 prevents the system clock CLK 
from being stopped. That is, if the power down signal, generated by a power 
5 down pin connected to line 151, is asserted before integrated circuit 11 goes 
into a test mode (where low frequency monitor 157 is disabled), then 
integrated circuit 11 will go into a reset state if the system clock (CLK) is 
stopped. The result is that power-on-reset logic 27 cannot be bypassed 
effectively. 

10 Figure 6 is a simplified block diagram that models an implementation 

of power-on-reset cell 154. Power-on-reset cell 154 is implemented as a 
custom cell for a particular process technology. Power-on-reset cell 154 is 
constructed in such a way to reject noise on the power supply line. 

A reset (POR_L) output 158 of power-on-reset cell 154 must stay low 

15 for a minimum of 20 microseconds after power has stabilized, The stabilized 
value of the power rail must be a voltage level that is greater than the 
implemented process technology minimum operating voltage. 

Power down (PD) input 151 to power-on-reset cell 154 must not change 
the state of reset output 158. If power down input 151 is held high while 

20 power is applied, reset output 158 never releases the reset. If power down 
input 151 is asserted high after the power has been applied and the reset 
pulse has completed (greater than 20 microseconds after power is applied) 
then reset output 158 must remain high and not issue a reset. 

Figure 6 shows power-on-reset cell 154 modeled as an RC network 

25 consisting of a resistor 164 and a capacitor 165 connected to ground through 
line 166. VDD is placed on an input line 161. A buffer 162 forwards VDD to a 
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switch 163 controlled by power down input 151. When power down input 151 
is inactive (low) then capacitor 165 is allowed to charge. When the power 
down input 151 is asserted (high) capacitor 165 is not allowed to charge. 
Capacitor 165 is used to drive reset output 158 through a Schmitt trigger 167. 
5 Thus once capacitor 165 reaches the threshold (a time constant equal to 20 
microseconds), the reset output 158 is released. While in Figure 6, power- 
on-reset cell 154 is modeled as an RC network, actual implementation of the 
power-on-reset cell is dependent upon the technology utilized. 

The foregoing discussion discloses and describes merely exemplary 

10 methods and embodiments of the present invention. As will be understood 
by those familiar with the art, the invention may be embodied in other 
specific forms without departing from the spirit or essential characteristics 
thereof. Accordingly, the disclosure of the present invention is intended to 
be illustrative, but not limiting, of the scope of the invention, which is set 

15 forth in the following claims. 
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CLAIMS 

I Claim: 



1 1. An integrated circuit comprising: 

2 secure logic that requires protection; and, 

3 secure assurance logic that protects the secure logic, the secure 

4 assurance logic including: 

5 a plurality of protection modules for monitoring occurrence of 

6 insecure conditions, wherein each protection module monitors a different 

7 type of insecure condition, each protection module asserting an alarm 

8 signal when an associated insecure condition is detected, and 

9 storing means for receiving and storing the alarm signals 
10 asserted by the plurality of protection modules. 



1 2. An integrated circuit as in claim 1, wherein the storing means 

2 comprises: 

3 a first register for receiving the alarm signals; 

4 a second register for masking the alarm signals, the second register 

5 being used to prevent selected alarm signals from being propagated; and, 

6 a third register for storing alarm signals that have not been masked 

7 by the second register. 



1 3. An integrated circuit as in claim 1, wherein the plurality of 

2 protection monitors includes a high frequency monitor that detects when a 

3 monitored clock exceeds a predetermined frequency. 
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1 4. An integrated circuit as in claim 1, wherein the plurality of 

2 protection monitors includes a low frequency monitor that detects when a 

3 monitored clock is less than a predetermined frequency. 

1 5. An integrated circuit as in claim 1, wherein the plurality of 

2 protection monitors includes a single event detector monitor that monitors 

3 single event upsets within the integrated circuit. 

1 6. An integrated circuit as in claim 1, wherein the plurality of 

2 protection monitors includes a reset monitor that monitors an amount of 

3 times the integrated circuit is reset. 

1 7. An integrated circuit as in claim 1, wherein the plurality of 

2 protection monitors includes a voltage detector that monitors for invalid 

3 voltage levels. 

1 8. An integrated circuit as in claim 1, wherein the secure assurance 

2 logic additionally comprises a power-on-reset circuit for resetting the 

3 integrated circuit to a known state upon power-up of the integrated circuit. 

1 9. A method for protecting secure logic within an integrated circuit, 

2 the method comprising the following steps: 

3 (a) monitoring, by a plurality of protection modules, occurrence of 

4 insecure conditions, each protection module monitoring occurrence of a 

5 different type of insecure condition, including the following substep: 
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6 (a.l) asserting an alarm signal by a protection module from the 

7 plurality of protection modules, upon the protection module detecting an 

8 associated insecure condition; and, 

9 (b) receiving and storing alarm signals asserted by the plurality of 
10 protection modules. 

1 10. A method as in claim 9, wherein step (b) includes the following 

2 substeps: 

3 Cb.l) receiving the alarm signals into a first register; 

4 (b.2) masking the alarm signals in accordance with values in a 

5 second register; and, 

6 (b.3) storing in a third register alarm signals that have not been 

7 masked in substep (b.3). 

1 11. A method as in claim 10, additionally comprising the following 

2 step: 

3 (c) resetting the integrated circuit when an alarm signal is stored in 

4 the third register. 

1 12. A method as in claim 9, wherein step (a) includes detecting when 

2 a monitored clock exceeds a predetermined frequency. 

1 13. A method as in claim 9, wherein step (a) includes detecting when 

2 a monitored clock is less than a predetermined frequency. 
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1 14. A method as in claim 9, wherein step (a) includes detecting when 

2 single event upsets within the integrated circuit. 

1 15. A method as in claim 9, wherein step (a) includes monitoring an 

2 amount of times the integrated circuit is reset. 

1 16. A method as in claim 9, wherein step (a) includes monitoring for 

2 invalid voltage levels. 

1 17. A method as in claim 9, additionally comprising the following 

2 step: 

3 (c) resetting the integrated circuit to a known state upon power-up of 

4 the integrated circuit. 

1 18. Secure assurance logic within an integrated circuit, the secure 

2 assurance logic protecting secure logic, the secure assurance logic 

3 comprising: 

4 a plurality of protection modules for monitoring occurrence of 

5 insecure conditions, wherein each protection module monitors a different 

6 type of insecure condition, each protection module asserting an alarm 

7 signal when an associated insecure condition is detected, and 

8 storing means for receiving and storing the alarm signals 

9 asserted by the plurality of protection modules. 

1 19. Secure assurance logic as in claim 18, wherein the storing means 

2 comprises: 
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3 a first register for receiving the alarm signals; 

4 a second register for masking the alarm signals, the second register 

5 being used to prevent selected alarm signals from being propagated; and, 

6 a third register for storing alarm signals that have not been masked 

7 by the second register. 



1 20. Secure assurance logic as in claim 18, wherein the plurality of 

2 protection monitors includes at least one of the following: 

3 a high frequency monitor that detects when a monitored clock exceeds 

4 a predetermined frequency; 

5 a low frequency monitor that detects when a monitored clock is less 

6 than a predetermined frequency; 

7 a single event detector monitor that monitors single event upsets 

8 within the integrated circuit; 

9 a reset monitor that monitors an amount of times the integrated 

10 circuit is reset; and, 

11 a voltage detector that monitors for invalid voltage levels. 
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